FYI - The Department of Justice (DOJ) has
made clear that it interprets the ADA as applicable to websites.
Is your web site compliant with the Americans with
Disabilities Act? For the past 20 years, our bank web
site audits have covered the ADA guidelines. To help reduce
any liability, please contact me for more information at
examiner@yennik.com.
FYI - NIST updates Cybersecurity Framework, seeks comment - The National
Institute of Standards and Technology (NIST) issued a draft update
on Tuesday to its Framework for Improving Critical Infrastructure
Cybersecurity, aka the Cybersecurity Framework, aimed at forging
stronger cybersecurity measures.
https://www.scmagazine.com/nist-updates-cybersecurity-framework-seeks-comment/article/630892/
FYI - How much cyberinsurance is enough? - How a top security manager
feels about cyberinsurance often may have a lot to do with the type
of company he or she works for.
https://www.scmagazine.com/how-much-cyberinsurance-is-enough/article/632114/
NSA to share raw intercepted data with other intel agencies - The
National Security Agency (NSA) was granted expanded powers to
exchange information gathered in its global surveillance operations.
The intelligence organization will now be allowed to share raw data
with the federal government's 16 other intelligence agencies,
according to a report on Thursday in the New York Times.
https://www.scmagazine.com/nsa-to-share-raw-intercepted-data-with-other-intel-agencies/article/631334/
FBI withdrew national security letter after Cloudflare lawsuit -
Cloudflare, served with a national security letter at the beginning
of 2013, managed to get the FBI to withdraw its request but has been
under a gag order preventing it from speaking about the matter
since.
http://www.zdnet.com/article/fbi-withdrew-national-security-letter-after-cloudflare-lawsuit/
Giuliani will form Trump cybersecurity team - Former New York City
Mayor Rudy Giuliani will form a cybersecurity team for
President-elect Donald Trump, the Trump transition team said
Thursday.
https://www.scmagazine.com/giuliani-will-form-trump-cybersecurity-team/article/631160/
Missouri bill limits warrantless stingray use - Rep. Keith Frederick
(R-Mo.) introduced state legislation that would prohibit warrantless
stingray use in the state except in emergency situations.
https://www.scmagazine.com/missouri-bill-hb-403-limits-warrantless-stingray-use/article/631033/
GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug
- GoDaddy was obliged to revoke thousands of SSL certificates on
Tuesday as the result of an unspecified software bug.
http://www.theregister.co.uk/2017/01/11/godaddy_pulls_unvalidated_digital_certs/
Attorney files civil litigation against Chicago for use of stingrays
without warrant - An attorney has filed a civil lawsuit against the
City of Chicago and various members of the Chicago Police Department
(CPD), claiming that their warrantless use of stingray devices on
individuals attending a 2015 public protest was a violation of their
constitutional rights.
https://www.scmagazine.com/attorney-files-civil-litigation-against-chicago-for-use-of-stingrays-without-warrant/article/631615/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Crims shut off Ukraine power in wide-ranging anniversary hacks -
Phishing, denial of service, and remote exploitation part of hacking
banquet - Hackers of unknown origin cut power supplies in Ukraine
for a second time in 12 months as part of wide-ranging attacks that
hit the country in December.
http://www.theregister.co.uk/2017/01/12/ukraine_power_outtage_hack/
Amazon customers targeted in phishing scam - Sophos researchers
pulled the covers off a phishing scam hitting Amazon customers who
are looking for deals on electronics that are too good to be true.
https://www.scmagazine.com/amazon-customers-targeted-in-phishing-scam/article/631319/
Giuliani's website goes down, riddled with security flaws - Just
hours after Donald Trump's transition team said former New York
Mayor Rudy Giuliani would advise the incoming president on
cybersecurity issues and build the administration's cybersecurity
team, Giuliani Security's website went down.
https://www.scmagazine.com/giulianis-website-goes-down-riddled-with-security-flaws/article/631598/
Cellebrite loses 900GB of customer data in breach of old server -
Cellebrite, which rose to fame in 2016 when the FBI allegedly
approached it to crack open the iPhone 5c of San Bernardino shooter
Syed Farook, has suffered a 900GB data breach.
https://www.scmagazine.com/cellebrite-loses-900gb-of-customer-data-in-breach-of-old-server/article/631902/
Cyberattack burns out marijuana tech company's servers - For once,
marijuana enthusiasts have actual reason to feel paranoid.
https://www.scmagazine.com/cyberattack-burns-out-marijuana-tech-companys-servers/article/631922/
3,600 patients affected by breach at the Children's Hospital Los
Angeles - In mid-December a laptop belonging to a doctor working at
the Children's Hospital Los Angeles and the Children's Hospital Los
Angeles Medical Group was stolen.
https://www.scmagazine.com/3600-patients-affected-by-breach-at-the-childrens-hospital-los-angeles/article/632387/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Board and Management Oversight -
Principle 5: Banks should use transaction authentication methods
that promote non-repudiation and establish accountability for
e-banking transactions.
Non-repudiation involves creating proof of the origin or
delivery of electronic information to protect the sender against
false denial by the recipient that the data has been received, or to
protect the recipient against false denial by the sender that the
data has been sent. Risk of transaction repudiation is already an
issue with conventional transactions such as credit cards or
securities transactions. However, e-banking heightens this risk
because of the difficulties of positively authenticating the
identities and authority of parties initiating transactions, the
potential for altering or hijacking electronic transactions, and the
potential for e-banking users to claim that transactions were
fraudulently altered.
To address these heightened concerns, banks need to make
reasonable efforts, commensurate with the materiality and type of
the e-banking transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated
and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and
any alteration is detectable.
Banking organizations have begun to employ various techniques that
help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI). A bank may issue a digital
certificate to a customer or counterparty to allow for their unique
identification/authentication and reduce the risk of transaction
repudiation. Although in some countries customers' rights to
disclaim transactions are provided in specific legal provisions,
legislation has been passed in certain national jurisdictions making
digital signatures legally enforceable. Wider global legal
acceptance of such techniques is likely as technology continues to
evolve.
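As an added illustration (not part of the Basel Committee paper or of this newsletter's original text), the Go program below shows the mechanics behind points 2 and 3 above: the customer signs a canonical encoding of the transaction, and the bank verifies that signature before executing the transfer and keeps the signed record as evidence against a later denial. It uses a bare Ed25519 key pair in place of the PKI certificate the paper describes; the transaction fields, account numbers, amounts and nonce format are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transfer is the e-banking transaction the customer authorises. The fields
// are an assumption for this example.
type Transfer struct {
	From        string `json:"from"`
	To          string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
	Nonce       string `json:"nonce"` // unique per transaction, so a captured signature cannot be replayed
}

// canonical produces the exact bytes that are signed. encoding/json writes
// struct fields in declaration order, so both sides derive the same bytes.
func canonical(t Transfer) ([]byte, error) {
	return json.Marshal(t)
}

// NewCustomerKey stands in for enrolment: the private key stays with the
// customer (ideally on a token the bank never holds); the bank keeps the public key.
func NewCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign runs on the customer side when the transaction is submitted.
func Sign(priv ed25519.PrivateKey, t Transfer) ([]byte, error) {
	msg, err := canonical(t)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify runs at the bank before the transfer executes and again if the
// customer later disputes it; the bank retains (transaction, signature, public
// key) as the evidence record.
func Verify(pub ed25519.PublicKey, t Transfer, sig []byte) bool {
	msg, err := canonical(t)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo reports whether the signature verifies for the original transaction,
// for the same transaction with the amount altered in transit, and against a
// different customer's public key.
func Demo() (original, altered, wrongKey bool, err error) {
	pub, priv, err := NewCustomerKey()
	if err != nil {
		return false, false, false, err
	}
	tx := Transfer{From: "ACC-1001", To: "ACC-2002", AmountCents: 125000, Currency: "USD", Nonce: "20170112-000007"}
	sig, err := Sign(priv, tx)
	if err != nil {
		return false, false, false, err
	}
	original = Verify(pub, tx, sig)

	tampered := tx
	tampered.AmountCents = 1250000 // an extra zero added after signing
	altered = Verify(pub, tampered, sig)

	otherPub, _, err := NewCustomerKey()
	if err != nil {
		return false, false, false, err
	}
	wrongKey = Verify(otherPub, tx, sig)
	return original, altered, wrongKey, nil
}

func main() {
	o, a, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original=%v altered=%v wrongKey=%v\n", o, a, w)
}
```

Two things the code cannot supply on its own: the binding of the public key to a real customer identity, which is what the certificate and the bank's enrolment process provide, and exclusive control of the private key by the customer. If the bank (or an attacker who has compromised the customer's PC) can also sign with that key, the customer can plausibly deny the transaction and the non-repudiation property collapses.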
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
ENCRYPTION
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As a
prevention control, encryption acts to protect data from disclosure
to unauthorized parties. As a detective control, encryption is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti-virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and
computing devices. A loss of encryption keys or other failures in
the encryption process can deny the institution access to the
encrypted data.
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
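As an added example (not from the FFIEC booklet), the Go program below shows encryption playing both the preventive and the detective role described above. AES-256-GCM hides the record's contents, and because the mode authenticates the ciphertext, any alteration is reported on decryption rather than silently returned as garbage. It also shows the availability risk: once the key is gone, the data is unrecoverable. The record contents, the context string and the key handling are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit key. If this key is lost, so is everything
// sealed under it, which is the availability risk the booklet describes.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag. aad is
// authenticated but not encrypted: bind the record's identity to it so a valid
// blob cannot be copied into a different record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // random; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error, never garbage, if the key is wrong
// or any bit of nonce, ciphertext, tag or aad changed: the detective control.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Demo exercises the three outcomes: the right key recovers the record, a
// modified blob is rejected, and a lost (here: different) key leaves the
// data unavailable.
func Demo() (recovered bool, tamperErr, lostKeyErr error, err error) {
	record := []byte("acct=ACC-1001 pin=4921") // constructed sample, not real data
	aad := []byte("customer-record:1001")
	key, err := NewKey()
	if err != nil {
		return false, nil, nil, err
	}
	sealed, err := Seal(key, record, aad)
	if err != nil {
		return false, nil, nil, err
	}
	pt, err := Open(key, sealed, aad)
	if err != nil {
		return false, nil, nil, err
	}
	recovered = bytes.Equal(pt, record)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // one flipped bit in the stored ciphertext
	_, tamperErr = Open(key, tampered, aad)

	otherKey, err := NewKey()
	if err != nil {
		return false, nil, nil, err
	}
	_, lostKeyErr = Open(otherKey, sealed, aad)
	return recovered, tamperErr, lostKeyErr, nil
}

func main() {
	ok, tErr, kErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%v tampered=%v lostkey=%v\n", ok, tErr, kErr)
}
```

Note what the program does not protect: the plaintext exists in memory on both endpoints before Seal and after Open, which is the endpoint-compromise caveat in the last paragraph, and a network sensor between them sees only the opaque blob, which is the inspection trade-off described earlier. The key returned by NewKey must be backed up under the institution's key-management controls, or the "lost key" branch becomes the production outcome.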
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 9 - Assurance
9.4 Operational Assurance
Design and implementation assurance addresses the quality of
security features built into systems. Operational assurance
addresses whether the system's technical features are being bypassed
or have vulnerabilities and whether required procedures are being
followed. It does not address changes in the system's security
requirements, which could be caused by changes to the system and its
operating or threat environment.
Security tends to degrade during the operational phase of the
system life cycle. System users and operators discover new ways to
intentionally or unintentionally bypass or subvert security
(especially if there is a perception that bypassing security
improves functionality). Users and administrators often think that
nothing will happen to them or their system, so they shortcut
security. Strict adherence to procedures is rare, procedures become
outdated, and errors in the system's administration commonly occur.
Organizations use two basic methods to maintain operational
assurance:
- A system audit -- a one-time or periodic event to evaluate
security. An audit can vary widely in scope: it may examine an
entire system for the purpose of reaccreditation or it may
investigate a single anomalous event.
- Monitoring -- an ongoing activity that checks on the system, its
users, or the environment.
In general, the more "real-time" an activity is, the more it falls
into the category of monitoring. This distinction can create some
unnecessary linguistic hairsplitting, especially concerning
system-generated audit trails. Daily or weekly reviewing of the
audit trail (for unauthorized access attempts) is generally
monitoring, while an historical review of several months' worth of
the trail (tracing the actions of a specific user) is probably an
audit.
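As an added example (not from the NIST Handbook), the Go program below runs both activities over a constructed audit trail: Monitor is the near-real-time check for unauthorized access attempts (repeated failed logins within a short window), and Audit is the historical trace of one user's actions across the whole trail. The log format, the sample lines and the alert threshold are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed audit-trail record.
type Event struct {
	When   time.Time
	User   string
	Src    string
	Action string
	Result string
}

// SampleTrail is constructed for this example, not a real log. The format
// (RFC 3339 timestamp, then key=value fields) is an assumption.
const SampleTrail = `2017-01-12T09:14:02Z user=jsmith src=10.1.2.3 action=login result=FAIL
2017-01-12T09:14:40Z user=jsmith src=10.1.2.3 action=login result=FAIL
2017-01-12T09:15:11Z user=jsmith src=10.1.2.3 action=login result=FAIL
2017-01-12T09:17:05Z user=jsmith src=10.1.2.3 action=export_report result=OK
2017-01-11T08:00:00Z user=bjones src=10.1.5.9 action=login result=FAIL
2017-01-11T08:00:30Z user=bjones src=10.1.5.9 action=login result=OK
2017-01-10T08:00:00Z user=bjones src=10.1.5.9 action=login result=FAIL`

// ParseTrail rejects malformed lines instead of skipping them: a silently
// dropped record is a gap in the evidence.
func ParseTrail(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 5 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, err
		}
		ev := Event{When: when}
		dst := map[string]*string{"user": &ev.User, "src": &ev.Src, "action": &ev.Action, "result": &ev.Result}
		for _, kv := range fields[1:] {
			k, v, ok := strings.Cut(kv, "=")
			p := dst[k]
			if !ok || p == nil {
				return nil, fmt.Errorf("malformed field %q in %q", kv, sc.Text())
			}
			*p = v
		}
		events = append(events, ev)
	}
	return events, sc.Err()
}

// Monitor is the near-real-time check: users with at least threshold failed
// logins inside any span no longer than window.
func Monitor(events []Event, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Action == "login" && ev.Result == "FAIL" {
			failures[ev.User] = append(failures[ev.User], ev.When)
		}
	}
	var flagged []string
	for user, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		for i := 0; i+threshold <= len(times); i++ {
			if times[i+threshold-1].Sub(times[i]) <= window {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// Audit is the historical review: every recorded action of one user, in order.
func Audit(events []Event, user string) []Event {
	var trace []Event
	for _, ev := range events {
		if ev.User == user {
			trace = append(trace, ev)
		}
	}
	sort.Slice(trace, func(i, j int) bool { return trace[i].When.Before(trace[j].When) })
	return trace
}

func main() {
	events, err := ParseTrail(SampleTrail)
	if err != nil {
		panic(err)
	}
	fmt.Println("monitor (3+ failed logins in 5 min):", Monitor(events, 3, 5*time.Minute))
	fmt.Println("audit of bjones:", Audit(events, "bjones"))
}
```

Run against the sample, Monitor flags jsmith (three failures in 69 seconds) but not bjones, whose two failures are a day apart; Audit on bjones returns all three of that user's records in chronological order even though the trail stores them out of order. The same parser feeds both activities, which is the point of the Handbook's remark: the difference is the question asked and the time span covered, not the data.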